From fa29e0b5cad9c2fd976d62a5d16c40812ff1ee3b Mon Sep 17 00:00:00 2001
From: Nathaniel Catchpole
Date: Wed, 4 Mar 2015 15:08:31 +0000
Subject: [PATCH] Issue #2443571 by larowlan, Berdir: Port SA-CONTRIB-2015-052

---
 .../basic_auth/basic_auth.services.yml | 4 +++
 .../PageCache/DisallowBasicAuthRequests.php | 33 +++++++++++++++++++
 .../Tests/Authentication/BasicAuthTest.php | 17 ++++++++++
 .../router_test.routing.yml | 2 ++
 4 files changed, 56 insertions(+)
 create mode 100644 core/modules/basic_auth/src/PageCache/DisallowBasicAuthRequests.php

diff --git a/core/modules/basic_auth/basic_auth.services.yml b/core/modules/basic_auth/basic_auth.services.yml
index a0d436866a6..982afb206d0 100644
--- a/core/modules/basic_auth/basic_auth.services.yml
+++ b/core/modules/basic_auth/basic_auth.services.yml
@@ -4,3 +4,7 @@ services:
 arguments: ['@config.factory', '@user.auth', '@flood', '@entity.manager']
 tags:
 - { name: authentication_provider, priority: 100 }
+ basic_auth.page_cache_request_policy.disallow_basic_auth_requests:
+ class: Drupal\basic_auth\PageCache\DisallowBasicAuthRequests
+ tags:
+ - { name: page_cache_request_policy }
diff --git a/core/modules/basic_auth/src/PageCache/DisallowBasicAuthRequests.php b/core/modules/basic_auth/src/PageCache/DisallowBasicAuthRequests.php
new file mode 100644
index 00000000000..37f6d642791
--- /dev/null
+++ b/core/modules/basic_auth/src/PageCache/DisallowBasicAuthRequests.php
@@ -0,0 +1,33 @@
+headers->get('PHP_AUTH_USER');
+ $password = $request->headers->get('PHP_AUTH_PW');
+ if (isset($username) && isset($password)) {
+ return self::DENY;
+ }
+ }
+ }
diff --git a/core/modules/basic_auth/src/Tests/Authentication/BasicAuthTest.php b/core/modules/basic_auth/src/Tests/Authentication/BasicAuthTest.php
index 13c74df6af5..65557177175 100644
--- a/core/modules/basic_auth/src/Tests/Authentication/BasicAuthTest.php
+++ b/core/modules/basic_auth/src/Tests/Authentication/BasicAuthTest.php
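Review bot: The policy method in DisallowBasicAuthRequests.php falls off the end without a return when no credentials are present, so "no opinion" is expressed only through PHP's implicit NULL; an explicit `return NULL;` after the if-block, plus a method docblock stating that the policy returns DENY only when both PHP_AUTH_USER and PHP_AUTH_PW are present and otherwise abstains, would make the contract visible to the next reader. The deny condition presumably has to stay in step with the condition the basic_auth authentication provider uses to decide that it applies; if the two ever diverge, a request the provider authenticates could still be answered from, or stored into, the anonymous page cache, which is the exact outcome this policy exists to prevent, so a comment tying the two together is worth adding. The file header, use statements and the method signature are not visible in this hunk as extracted, so the method begins outside what is shown here.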
@@ -29,6 +29,12 @@ class BasicAuthTest extends WebTestBase {
 * Test http basic authentication.
 */
 public function testBasicAuth() {
+ // Enable page caching.
+ $config = $this->config('system.performance');
+ $config->set('cache.page.use_internal', 1);
+ $config->set('cache.page.max_age', 300);
+ $config->save();
+
 $account = $this->drupalCreateUser();
 $url = Url::fromRoute('router_test.11');
@@ -36,6 +42,8 @@ class BasicAuthTest extends WebTestBase {
 $this->assertText($account->getUsername(), 'Account name is displayed.');
 $this->assertResponse('200', 'HTTP response is OK');
 $this->curlClose();
+ $this->assertFalse($this->drupalGetHeader('X-Drupal-Cache'));
+ $this->assertIdentical(strpos($this->drupalGetHeader('Cache-Control'), 'public'), FALSE, 'Cache-Control is not set to public');
 $this->basicAuthGet($url, $account->getUsername(), $this->randomMachineName());
 $this->assertNoText($account->getUsername(), 'Bad basic auth credentials do not authenticate the user.');
@@ -56,6 +64,15 @@ class BasicAuthTest extends WebTestBase {
 $this->assertNoLink('Log out', 'User is not logged in');
 $this->assertResponse('403', 'No basic authentication for routes not explicitly defining authentication providers.');
 $this->curlClose();
+
+ // Ensure that pages already in the page cache aren't returned from page
+ // cache if basic auth credentials are provided.
+ $url = Url::fromRoute('router_test.10');
+ $this->drupalGet($url);
+ $this->assertEqual($this->drupalGetHeader('X-Drupal-Cache'), 'MISS');
+ $this->basicAuthGet($url, $account->getUsername(), $account->pass_raw);
+ $this->assertFalse($this->drupalGetHeader('X-Drupal-Cache'));
+ $this->assertIdentical(strpos($this->drupalGetHeader('Cache-Control'), 'public'), FALSE, 'No page cache response when requesting a cached page with basic auth credentials.');
 }
 /**
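Review bot: The regression check in the third hunk primes router_test.10 with a single anonymous GET and asserts MISS, then immediately sends the basic-auth request; it never confirms that the page actually entered the page cache, so the final two assertions would also pass if caching had silently failed for that route. Adding a second anonymous request and asserting a hit before the basic-auth GET pins the behaviour the new policy is meant to change: `$this->drupalGet($url);` followed by `$this->assertEqual($this->drupalGetHeader('X-Drupal-Cache'), 'HIT');`. In the same hunk the MISS check uses `assertEqual` while the neighbouring header assertions use `assertIdentical`; switching it to `assertIdentical` keeps the comparison strict and the style consistent. The second hunk repeats the same strpos-on-Cache-Control assertion, so a small private helper asserting "no public cache headers" would remove the duplication. testBasicAuth() opens in the first hunk of this file and closes with the `}` at the end of the third hunk.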
diff --git a/core/modules/system/tests/modules/router_test_directory/router_test.routing.yml b/core/modules/system/tests/modules/router_test_directory/router_test.routing.yml
index 911bba0ae8d..97b0b0c1fcf 100644
--- a/core/modules/system/tests/modules/router_test_directory/router_test.routing.yml
+++ b/core/modules/system/tests/modules/router_test_directory/router_test.routing.yml
@@ -48,6 +48,8 @@ router_test.8:
 router_test.10:
 path: '/router_test/test10'
+ options:
+ _auth: [ 'basic_auth', 'cookie' ]
 defaults:
 _controller: '\Drupal\router_test\TestContent::test1'
 requirements: